shiro

1.导入jar包

                <!-- NOTE(review): 1.4.0 dates from 2017 and predates several published Apache Shiro
                     security advisories, including authentication-bypass issues in the filter-chain
                     path matching when Shiro fronts Spring MVC (the setup used below). Check the
                     project's security page and move to a current 1.x release before deploying. -->
                <dependency>
		    <groupId>org.apache.shiro</groupId>
		    <artifactId>shiro-spring</artifactId>
		    <version>1.4.0</version>
		</dependency>

2.编写配置类

package org.huqi.config;

import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.adapter.DefaultAdvisorAdapterRegistry;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
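/**
 * Spring configuration for Apache Shiro: the SecurityManager, the single realm, the URL
 * filter chain and the AOP support needed for {@code @RequiresRoles}/{@code @RequiresPermissions}.
 *
 * Security notes for whoever adapts this:
 * - No CredentialsMatcher is configured on the realm, so Shiro's default matcher applies; in the
 *   1.x line that is a plain equality check of the submitted password against the credential the
 *   realm returns. A hashed/salted matcher must be configured before storing real passwords.
 * - The filter chain ends with a {@code /**} catch-all. Treat it as mandatory, not optional (see
 *   {@link #shiroFilterFactoryBean}).
 */
@Configuration
public class ShiroConfig {
    /**
     * Web SecurityManager wired to the single realm.
     *
     * @param myRealm the realm bean (autowired by type; only one Realm exists in this config)
     * @return the configured DefaultWebSecurityManager
     */
    @Bean
    public SecurityManager securityManager(Realm myRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(myRealm);
        return manager;
    }

    /**
     * The custom realm that performs authentication and authorization.
     *
     * @return a new MyRealm; Shiro uses this instance for every login and permission check
     */
    @Bean
    public MyRealm myRealm() {
        return new MyRealm();
    }

    /**
     * Shiro's servlet filter and the URL -> filter mapping.
     *
     * Map insertion order matters: Shiro applies the first pattern that matches the request, which
     * is why a LinkedHashMap is used and why the catch-all is added last.
     *
     * @param securityManager the manager created by {@link #securityManager(Realm)}
     * @return the filter factory bean Spring registers as the Shiro filter
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean filterBean = new ShiroFilterFactoryBean();
        filterBean.setSecurityManager(securityManager);
        filterBean.setLoginUrl("/login.html");       // where unauthenticated requests are sent
        filterBean.setSuccessUrl("/success.html");   // redirect target after a successful login
        // NOTE(review): "unamthorized" looks like a typo for "unauthorized" — confirm the real page
        // name; a wrong value here only breaks the redirect, it does not weaken the access checks.
        filterBean.setUnauthorizedUrl("/unamthorized.html");

        Map<String, String> chain = new LinkedHashMap<String, String>();
        chain.put("/login", "anon");       // the login endpoint itself must be reachable without a session
        chain.put("/logout", "logout");    // Shiro's logout filter handles this URL before any controller
        chain.put("/admin/**", "authc");   // authenticated users only
        chain.put("/user/**", "authc");    // authenticated users only
        // Deny-by-default catch-all. Keep it, and keep it LAST. Without it every URL not listed
        // above (success/unauthorized pages, static files, any controller added later) is served
        // without a login, and a request whose path Shiro's patterns do not match but Spring MVC
        // still routes to a protected handler would slip past the chain entirely.
        chain.put("/**", "authc");
        filterBean.setFilterChainDefinitionMap(chain);
        return filterBean;
    }

    /**
     * Enables Shiro's authorization annotations by creating AOP proxies for advised beans.
     *
     * Declared {@code static}: this bean is a BeanPostProcessor, and Spring recommends static
     * {@code @Bean} methods for post-processors so the configuration class itself is not
     * instantiated early and the post-processor can see every other bean.
     *
     * @return the proxy creator; CGLIB class proxies are forced so controllers without
     *         interfaces can be advised
     */
    @Bean
    public static DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator();
        proxyCreator.setProxyTargetClass(true);
        return proxyCreator;
    }

    /**
     * Advisor that intercepts methods carrying Shiro's authorization annotations.
     *
     * @param securityManager the manager used to evaluate roles/permissions at call time
     * @return the configured advisor
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }
}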

3.编写认证授权类

package org.huqi.config;

import java.util.HashSet;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import org.apache.tomcat.util.http.parser.Authorization;
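/**
 * Realm that performs authentication ({@link #doGetAuthenticationInfo}) and authorization
 * ({@link #doGetAuthorizationInfo}) for this demo.
 *
 * Security status of this class as written: every username is accepted with one shared,
 * plaintext password, and roles are granted purely from the username string. Anyone who knows
 * the shared password can therefore log in as "admin" and receive the admin role. This is a
 * tutorial stub, not a usable realm.
 */
public class MyRealm extends AuthorizingRealm {
	/**
	 * Demo-only shared credential handed to Shiro for every username. Replace with a lookup of
	 * the stored (hashed and salted) credential for the given user, and configure a matching
	 * CredentialsMatcher on this realm, before any real account depends on it.
	 */
	private static final String DEMO_PASSWORD = "123456";

	/**
	 * Authenticates a username/password token.
	 *
	 * @param token the submitted credentials; expected to be a UsernamePasswordToken (the realm's
	 *              default supports() check is presumed to restrict tokens to that type — confirm
	 *              if a different token class is ever introduced)
	 * @return the account info Shiro compares the submitted password against, or null when the
	 *         username or password is absent (Shiro then reports an unknown account)
	 * @throws AuthenticationException per the Shiro contract; this stub does not throw itself
	 */
	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
		UsernamePasswordToken upToken = (UsernamePasswordToken) token;
		String userName = upToken.getUsername();
		char[] password = upToken.getPassword();
		// Check the raw char[]: the original built new String(password) first, which threw a
		// NullPointerException for a missing password instead of taking this null-return path.
		if (userName == null || password == null) {
			return null;
		}
		// Shiro, not this code, compares the submitted password with the credential below using
		// the realm's CredentialsMatcher (none is set in ShiroConfig, so the default applies).
		// The credential is the shared demo password regardless of which username was sent.
		return new SimpleAuthenticationInfo(userName, DEMO_PASSWORD, getName());
	}

	/**
	 * Grants roles and permissions from the primary principal (the username string).
	 *
	 * @param principals the authenticated subject's principals
	 * @return "admin" -> roles {admin, user}; "user" -> role {user} plus permissions
	 *         {user:add, user:get}; anything else -> no grants
	 */
	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
		Object principal = principals.getPrimaryPrincipal();
		Set<String> roles = new HashSet<String>();
		Set<String> permissions = new HashSet<String>();
		// Constant-on-the-left equals(): a null primary principal yields no grants instead of an NPE.
		if ("admin".equals(principal)) {
			roles.add("admin");
			roles.add("user");
		}
		if ("user".equals(principal)) {
			roles.add("user");
			permissions.add("user:add");
			permissions.add("user:get");
		}
		// NOTE(review): "admin" holds the user role but none of the user:* permissions, so the
		// @RequiresPermissions("user:add") / ("user:get") endpoints deny admin — confirm intended.
		SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
		info.addRoles(roles);
		info.addStringPermissions(permissions);
		return info;
	}
}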

4.编写controller

package org.huqi.controller;

import java.util.logging.Level;
import java.util.logging.Logger;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.Md5CredentialsMatcher;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.crypto.hash.Md5Hash;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.subject.Subject;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

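/**
 * Demo controller exercising the Shiro setup: a login endpoint plus handlers guarded by
 * {@code @RequiresRoles} / {@code @RequiresPermissions}.
 *
 * The two method names {@code logout} and {@code login} are swapped relative to the URLs they
 * serve in the original; Spring routes by annotation, and the names are kept so nothing that
 * references them breaks, but read the mappings rather than the names.
 */
@Controller
public class TestConfig {
	/** java.util.logging keeps this class dependency-free; swap for the project's logger if it has one. */
	private static final Logger LOG = Logger.getLogger(TestConfig.class.getName());

	/**
	 * Landing page after a successful login.
	 *
	 * @return the success view
	 */
	@RequestMapping("/success")
	public Object loginSuccess() {
		return "/success.html";
	}

	/**
	 * Login endpoint (mapped to /login). Any existing identity is dropped first, so a failed
	 * attempt can never leave the previous user logged in.
	 *
	 * NOTE(review): the mapping has no HTTP-method restriction, so credentials may also arrive
	 * as GET query parameters and land in access logs and browser history. Restrict this to
	 * POST once the login form is confirmed to submit that way.
	 *
	 * @param userName submitted username (may be null)
	 * @param passWord submitted password (may be null)
	 * @return the success view when Shiro accepts the credentials, else the login view
	 */
	@RequestMapping("/login")
	public Object logout(String userName, String passWord) {
		Subject subject = SecurityUtils.getSubject();
		// logout() leaves the subject unauthenticated, so the original isAuthenticated() guard
		// after it was always true and has been dropped.
		subject.logout();
		UsernamePasswordToken token = new UsernamePasswordToken(userName, passWord);
		try {
			// Shiro signals failure by throwing; anything the realm throws is wrapped for us.
			subject.login(token);
		} catch (AuthenticationException e) {
			// Log only the failure type: never the password, and no stack trace to stdout.
			LOG.log(Level.INFO, "login failed: {0}", e.getClass().getSimpleName());
			return "/login.html";
		} finally {
			// Zero the password chars held by the token once Shiro is done with it.
			token.clear();
		}
		return "/success.html";
	}

	/**
	 * Mapped to /logout. With the chain map in ShiroConfig ("/logout" -> "logout"), Shiro's
	 * logout filter is expected to handle this URL before the request reaches here, so this
	 * handler is normally not invoked.
	 *
	 * @param userName unused
	 * @param passWord unused
	 * @return the login view
	 */
	@RequestMapping("/logout")
	public Object login(String userName, String passWord) {
		return "/login.html";
	}

	/**
	 * Requires the "admin" role (granted by MyRealm to the "admin" principal).
	 *
	 * @return marker body
	 */
	@ResponseBody
	@RequiresRoles(value = {"admin"})
	@RequestMapping("admin/test")
	public Object testAdmin() {
		return "admin";
	}

	/**
	 * Requires the "user" role (granted to both "user" and "admin").
	 *
	 * @return marker body
	 */
	@ResponseBody
	@RequiresRoles(value = "user")
	@RequestMapping("user/test")
	public Object testUser() {
		return "/user";
	}

	/**
	 * Requires the "user:add" permission (only the "user" principal holds it in MyRealm).
	 *
	 * @return marker body
	 */
	@ResponseBody
	@RequiresPermissions(value = {"user:add"})
	@RequestMapping("user/add")
	public Object add() {
		return "user:add";
	}

	/**
	 * Requires the "user:get" permission (only the "user" principal holds it in MyRealm).
	 *
	 * @return marker body
	 */
	@ResponseBody
	@RequiresPermissions(value = {"user:get"})
	@RequestMapping("user/get")
	public Object get() {
		return "user:get";
	}

	/**
	 * Turns Shiro authorization failures into a 403 with a fixed body.
	 *
	 * Changes from the original: the handler is limited to AuthorizationException (the type
	 * Shiro's annotations raise) instead of every Exception, the status is 403 instead of 200,
	 * and the exception is no longer concatenated into the response, which leaked the exception
	 * class and message (role/permission names) to the client. Details go to the server log.
	 *
	 * @param e the authorization failure
	 * @return a fixed, non-descriptive message
	 */
	@ResponseBody
	@ResponseStatus(HttpStatus.FORBIDDEN)
	@ExceptionHandler(AuthorizationException.class)
	public Object exception(Exception e) {
		LOG.log(Level.WARNING, "access denied: {0}", e.getMessage());
		return "权限异常";
	}
}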